Anyone in #NixOS land running software trough #Firejail?

It seems really interesting as an alternative to SELinux, but meant for encapsulating the most at risk applications.

:revblobfoxread:

https://nixos.wiki/wiki/Firejail

So... Apparently, #FireJail breaks if I put the user's home directory inside /run/user/[uid]/home

Need some help with #firejail: how can I set #mpv to always open with firejail?

I read some documentation about symlinks and profiles, but I'm still new to all this. In my case, when I open with terminal, I use:

firejail --net=none mpv <filename>

But most of the time I open videos using Gnome Files app, so I'd like to make mpv open with --net=none by default when clicking in a video in the files app.

#askfedi #askmastodon #askfediverse #linux #arch #security

@TiffyBelle @flaminghohners T/y. That was an interesting read, & ostensibly disturbing. Ostensibly.

My geeky-user-but-NO-expert familiarity with #Firefox [#Nightly, specifically] & chromium-based browsers [on my (#Linux only) pc's that's #VivaldiSnapshot & #Chromium] extends to matters of features, functions & privacy. Security, in the context of that paper & its links, is way beyond my knowledge, so it'd be silly of me to attempt any technical disparagement of that paper.

I shall note, though, that browser development is a pretty fast-paced project, such that i do wonder about the contemporary validity of any paper written several years ago. The paper was last edited March 19th, 2022, so clearly not too bad. However, & IMO most unfortunately, ALL its purportedly supportive links to external references are VERY old, ranging from newest of 2020, to oldest of 2011, with a perceived median around 2016.

For instance, the linked paper's linked paper "Exploiting and Protecting Dynamic Code Generation", says on p10, within "A. Setup", that

>The operating system is the 64-bit Ubuntu 13.04 with kernel 3.8.0-35-generic

That version was released in early 2013.

I suspect this potential "technological aging" makes many or maybe most of the underlying claims rather dubious today, unless & until a contemporary reappraisal by technically competent peeps were done, based on current #Firefox code, not on how it used to be many years ago. Maybe the conclusion would not change? Maybe it would? 🤷‍♀️

Other Thoughts, fwiw.

Even with a generous assumption that all claims in that paper remain technically valid today [tbc], for many browser users in countries / jurisdictions not overtly fascist & dictatorial, who as individuals are unlikely to be targeted by state-actors, i respectively opine that the larger more probable safety hazard to them might come from #privacy, not #security, breaches. To that extent, i note these:

- #uBlockOrigin is more powerful in Firefox than in chromium browsers, due to the latter having no support for CNAME-uncloaking

- Google is actively striving, via its Mv3 replacement for Mv2, & its egregious FLoC / Topics crap, to further weaken uBO & all other #adblockers. Otoh, Mozilla intends indefinite Firefox support for Mv2, albeit also with added Mv3 compatibility.

-- #AddOns / #Extensions like #uBO are far more than "only" adblockers. By running in "hard mode" for instance, & liberally creating a suite of global & per-site dynamic filters, AND having #Javascript globally disabled but allowed by the user on favoured sites, great privacy protection is afforded. Google's plans are to actively weaken this user privacy in Chromium.

- sadly, silly insecure-by-design MS Windows remains the world's dominant OS. Yet for those alert to the Windows hazards & willing to make a change, #Linux provides vastly more security & privacy by design.

- As well, both dominant #Linux #DesktopEnvironments & at least one #WindowManager, now provide stable everyday #Wayland capability instead of the ancient insecure #X11 / #Xorg #DisplayServer -- thus eliminating one classic security vulnerability mentioned in the paper/s.

- Linux users can avail themselves of even more privacy by #sandboxing their apps. There's several choices; i use #Firejail. Therefore browsers [& all other relevant apps] cannot access any of the user's private data beyond the sandbox's bounds.

DNS: Warum ist ein DNScrypt-Proxy sinnvoll?

So ist man sicherer im Netz unterwegs.

#Firejail #FirejailDNS #DNScrypt #Privacy #Linux

https://gnulinux.ch/dns-warum-dnscrypt-proxy

@fiveEyedBeast @mepi0011 @kde Ha, you fixed it! 😉 You had many of us rather confused... & scrambling to see if there was a new kid on the block. 😜

Fwiw, I began using #KMyMoney 12 years ago [i had to check that just now, coz IMO it feels even longer]. Initially i tried #GNUcash, but rapidly tired of its absence of good user-configurable reports [& several other things]. #KMM isn't perfect ofc, but overall it's still pretty wonderful.

I explicitly do not use any online bank reconciliation, in fact, via #Firejail i specifically block KMM from having any internet access at all. Ergo, i do all my account reconciliations manually each month. For my use-case, KMM is a boon.

Make your web browsing a little safer by using #Firefox in Linux Mint #WebAppManager (also installable on other distros: https://ubuntuhandbook.org/index.php/2021/01/install-linux-mints-web-app-manager-ubuntu-20-04/amp/) combined with #Firejail

Effectively you utilize a ‘Firefox profile’ through the Web App Manager to expose a single authorized site (like any of your social media accounts) as a separate app.
In the background Firejail makes sure your system is shielded from the Firefox process. As an example: only the default Downloads folder is accessible

Firetools ist eine grafische Benutzeroberfläche (Qt5) für die Linux-Sandbox Firejail. 👇

https://github.com/netblue30/firetools

#firejail #firetools #sandbox #linux #security #qt5

@jf @vwbusguy

Yep i concur. I pointed it out per my earlier post, not to imply i thought it was "sufficient", but instead merely that it is "something" in case any users hadn't noticed it there yet.

Personally [as a geek enduser NOT a Dev], i remain wedded to "classic" pkgs from "std" repos + when needed, the AUR [btw😜]. I *want* to control ALL my apps with my desktop theming, AND constrain them with #Firejail [of which I'm a big fan]. My current schema provides this. Otoh, FPs = meh, to me.

@dropbear42 I looked up #FireJail - it definitely sounds like something I need to have on a Linux environment. Many thanks! 😀

@Norobiik If LO eventually does this silliness, IMO my counter-attack would be automatic. Given i run all my apps anyway in #Firejail, including LO, when they have no business talking to the interwebz, i block them via my custom launch cmd. In this case:

`firejail --protocol=unix -- libreoffice`

I like FJ.

@fossesq Oh how i simply hate #SELinux. Bloody awful thing. I just disable it, then keep using #Firejail like in my other distros. Mind you, given so far i don't use #flatpaks much [still primarily an #ArchLinux user], i've not yet needed to worry about including them under the FJ umbrella. #Flatseal then, i suppose?

I'm re-doing some AppArmor profiles and attempting to confine electron apps more strictly in the process... I think this might be the wrong approach

Electron requires such broad access to both system resources and application configs/caches I think I'd probably be better served by using something like firejail to sandbox from the start

I could just refuse to use electron software, but it's becoming increasingly more difficult to avoid...
#linux #security #electron #AppArmor #FireJail

@dhaavi

Nice! I don't use an IDE with plugins on my Linux machine today, but I'll keep that in mind! Hadn't thought of it for GUI before. Does it forward X11?

Alternatively, might use #firejail to limit directories directly (which uses similar Linux APIs as Docker, without overhead of separate image/kernel, PID 1, and mounts). Not very different from how macOS sandboxes most of their Mac App Store apps these days, which also run with an alternate view of disk.

@frederic

Recently #ArchLinux delivered the new version of #firejail, ie, 0.9.70-4 -> 0.9.72-1. Unfortunately [but not uncommonly], the various changes broke my FJ launcher for #KeePassXC . It took several hours of tedious investigation & testing before i could pinpoint the two lines responsible, in the #KeePassXC FJ profile file. In case it helps anyone else, you need to delete or disable BOTH these [non-contiguous] lines:

`include disable-shell.inc`
`private-bin keepassxc,keepassxc-cli,keepassxc-proxy`

Кажется с убитым #firejail система шевелится ощутимо лучше.

https://www.linux.org.ru/articles/desktop/17042789?lastmod=1670101681353

#firejail #linux #guide

Guess who bricked their laptop with #firejail

@electrona I use all of them with diffrent profiles. My basic setup includes all of those three - firefox, brave and vivaldi, jailed by #firejail with #seccomp #apparmor and awesome #GrapheneOS hardened malloc library: https://github.com/GrapheneOS/hardened_malloc .

@LibreNyaa
you want to sandbox chrome? have you considered #firejail? I used it until I decided it was overkill